Does It Really Matter How Complex Privacy Policies Are?

from the not-really dept

Slashdot points out that a recent study of various privacy policies shows that most are written at an extremely high reading level, in some cases a ridiculously high one. Of course, this is used to suggest that people don't understand the privacy policies they read, but that has been known for years. The issue has little to do with the policies themselves, because almost no one reads them, no matter how readable (or not) they are. In fact, many people falsely assume that the very presence of a policy means their privacy is safe. So even if a site's privacy policy says "you have no privacy, and we'll reveal all your data to whoever pays top dollar," people won't read it and will assume the site keeps their data private, because a privacy policy of any kind signals to them that the site takes privacy seriously, even when that's not the case. Given that, it doesn't really matter how readable the privacy policy is; people aren't going to read it, and aren't going to pay attention to what it says if they do. It seems like privacy policies, in general, are simply a relic of the legal system rather than anything actually useful. Instead of focusing on the readability of privacy policies, shouldn't we be looking for a better solution altogether?
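The "reading level" such studies report is usually a readability formula, most commonly Flesch-Kincaid, which maps average sentence length and syllables per word onto a US school grade. The Python below is an added example, not part of the original article or of the study it discusses; it assumes the Flesch-Kincaid formula, the two policy snippets are constructed for illustration, and the syllable counter is a rough vowel-group heuristic (it undercounts words like "value"), so the grades it prints are approximations, not the study's figures.

```python
import re

# Flesch-Kincaid grade level:
#   0.39 * (words / sentences) + 11.8 * (syllables / words) - 15.59
# The result approximates the US school grade needed to read the text.

_VOWEL_GROUPS = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    """Heuristic syllable count: one per vowel group, minus a trailing
    silent 'e' (so 'made' -> 1, while 'little' and 'free' keep theirs).
    This is an approximation, not a dictionary lookup."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(_VOWEL_GROUPS.findall(w))
    if groups > 1 and w.endswith("e") and not w.endswith(("le", "ee")):
        groups -= 1
    return max(1, groups)


def split_sentences(text: str) -> list[str]:
    """Split on terminal punctuation followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def words(text: str) -> list[str]:
    """Alphabetic tokens; hyphenated compounds count as two words."""
    return re.findall(r"[A-Za-z']+", text)


def flesch_kincaid_grade(text: str) -> float:
    sents = split_sentences(text)
    ws = words(text)
    if not sents or not ws:
        return 0.0
    syllables = sum(count_syllables(w) for w in ws)
    return 0.39 * (len(ws) / len(sents)) + 11.8 * (syllables / len(ws)) - 15.59


# Constructed sample policies for illustration (not taken from any real site).
PLAIN_POLICY = (
    "We value your privacy. We sell your first name, last name and email "
    "address to pay for this free service. You can opt out below at any time."
)

LEGALESE_POLICY = (
    "Notwithstanding any provision herein to the contrary, the Company may "
    "disclose Personally Identifiable Information to affiliated entities, "
    "successors, assigns and third-party service providers, including "
    "without limitation advertisers and data aggregators, in accordance "
    "with applicable law and as otherwise permitted hereunder."
)


def compare_policies() -> dict[str, float]:
    """Grade level of each constructed sample, rounded to one decimal."""
    return {
        "plain": round(flesch_kincaid_grade(PLAIN_POLICY), 1),
        "legalese": round(flesch_kincaid_grade(LEGALESE_POLICY), 1),
    }


if __name__ == "__main__":
    for name, grade in compare_policies().items():
        print(f"{name:9s} grade level {grade:5.1f}")
```

The single 41-word legalese sentence scores well above college level, while the three short plain sentences land around early secondary school. The formula is purely structural: it rewards short sentences and short words and knows nothing about whether the content is favorable to the reader, which is exactly why a high score says nothing about what the policy actually permits.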

Reader Comments

Recently I've even come across software where you actually had to scroll down to the end of the EULA before the Next button was enabled. Clever trick, but except for the very first time, when I was stumped for a good 10 minutes, now it's just become one more (irritating) step in the routine.

So while readability does indeed make a difference and following the KISS principle would make it more likely to be read, I'm not too sure what can be done about the fact that we all seem to be in a tearing hurry nowadays for some reason...

I completely agree. I try to read the privacy agreements b/c I want to make sure they're not throwing in some killer clause. But most of the time it's a bit of a pain. I just assume they're going to sell my contact info and then just wait for GMail to let me mark it as spam.

But I'm sure the reason that most of these agreements are so long still is b/c people will sue companies for anything just to get a buck. It all comes back to the McDonald's coffee incident years ago when the woman sued McDonald's b/c SHE spilt her coffee in her lap and burned herself b/c there was nowhere on the cup that said "Caution: Hot." It's b/c of her that people realized they can pretty much sue for anything, no matter how ridiculous, and win $$$. That just trickles down to everything else such as the Privacy Policy. If it's not written out or the words aren't carefully crafted so that people can't find loopholes in the writing then someone will find a way to sue for something stupid.

That's also why you get companies like Google who have recently come under fire for their EULA. I don't know the exact story, but I'm sure it's a case of "copy and paste policy" syndrome and forgetting to completely vet it through legal to make sure it made sense for that specific product. If one privacy policy works then it should work for all the other products...or at least that's what most companies will assume.

Honestly, I'd feel safer agreeing to something that said:

"We value your privacy while using our service. However, we do need to make money because we're giving you a free service, and the only way to do that is to sell some bits of personal information like first name, last name and email address only. Because we value your privacy, you have the option (below) to NOT allow your personal information to be shared with third-party services. You can change your options at any time from your Account preferences. Thanks for understanding and realizing we need to make a buck or two to keep this service free...otherwise we'd be charging you...and you wouldn't really keep using it if it wasn't free, now, would you? We thought so."

For many years we have all received "privacy policy" statements in the mail from organizations such as our credit card companies and banks. The first thought, and the mistake that most people make, is to assume that the fact that one has received the policy means that their privacy is being respected.

However, overwhelmingly what is happening is exactly the opposite - reception of a privacy policy typically means that the company is informing you that as a consumer you are losing privacy - and they're just "warning" you about that so when they disclose your information you will have less grounds to sue them.

RE: a better solution

Like everything else in the Internet world, privacy must be regulated by an arbitrary and agreed-upon standard. Think of DNS spoofing. In order to stop man-in-the-middle attacks and phishing, companies like VeriSign popped up who were able to verify the validity of a web page. The next market segment seems to be privacy policies which are verified and certified by a third party.

I always assume the Privacy Policy is

I always assume the Privacy Policy is a statement of how your privacy will be violated.

The privacy policies that you get in the mail from the bank/credit-card/insurance/grocery store are simply giving the company permission to violate your privacy. They are a formal statement of "Your privacy is valuable to us, and this is how we are going to get value from your privacy."

Companies realize that your private information is valuable and now the company has another revenue stream; selling your private information.

I am always concerned when another "Privacy Policy" shows up on my doorstep. Another company has recognized that it has some of my private information, that it is valuable, and the company is now trying to find the best way to maximize profit on my private information.

Re:

Certainly some percentage start reading and give up, but I'd put my money on the majority not even trying to read it.
I think commenter Govy said it all. The only thing I can add is if EULAs and Privacy Statements are not on purpose written to be hard to understand - and I think that is true - maybe we should blame the reading level of the average user, which is, in turn, a vilification of the education system, insofar as the proper teaching of the English language.
This is a bit off topic, but having several foreign co-workers and having been a military linguist I am fairly confident that the vast majority of native American English speakers drench their speech in colloquialism and jargon to the point of making much of what they say ambiguous, albeit understandable to fellow native speakers.
In other words, we have allowed our language to diverge from what we now call "legalese."

Until There's Something Better

Given that, it doesn't really matter how readable the privacy policy is, people aren't going to read it and aren't going to pay attention to what it says if they do read it. It seems like privacy policies, in general, are simply a relic of a legal system, rather than anything actually useful. Instead of focusing on the readability of privacy policies, shouldn't we be looking for a better solution altogether?

We should absolutely be looking for a better solution, but while it's likely that technology will provide it, law still has a place.

Personally, I often judge a site based on how simple its privacy policy (and terms of service) are. The more complex, the more they're trying to hide something. People don't read these things because they've learned that they are complex and take too much time, and generally people don't care.

I agree completely that most people on the web think that if a site has a link to a "privacy policy," their privacy is protected. But when someone discovers an egregious breach of what they thought their privacy rights were, they wish they had read the policy.

The policy is primarily for the protection of the web site or service provider and only secondarily for the user, and in that they are useful.

If privacy policies are a relic of the legal system, what are possible solutions to protecting user privacy (assuming that's a goal) or at least informing users about what information is collected and what is done with it?

"I think that most privacy policies are written to cover the website owner's @rse first and inform their hapless audience second."

yep! So if no one reads them and they aren't really good for anything until a site gets big enough to sue BASED on them if a violation occurs (and let's see someone try and prove it in 90% of the cases) what are they good for?

Most sites on the web don't make any or much money. So if they violate their own "policy" what real recourse does the offended party have?

privacy policy law

Privacy policies are governed in good part by contract law. Contract law is a two-way street. Just as banks, web administrators and software vendors can communicate to visitors/customers what they assert to be the legal terms, customers can communicate back!

In principle, contract law does not favor either businesses or customers/users. As the future of privacy law unfolds, individuals may be able to use contract law to assert their legal terms on other parties, such as search engines or advertisers. Why shouldn't a consumer be able to broadcast what she expects to be the legally binding terms under which she does business? --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html My ideas are not legal advice for any particular situation; they are just ideas for public discussion.

Re: privacy policy law

Ben, I like your idea, but the pessimist in me says it is more likely that Europe's privacy laws will mirror America's than vice versa.

For one thing, the user is caught in a bind: they have nothing to bargain with besides their business, and with current trends there is no real competition in terms of privacy standards. You either want to use their service badly enough that you sign, or you go without.

Another problem is that, at least in America, every privacy policy has a clause that allows the company to change its policy at will. This is also allowed in contracts, and since users don't have a position from which to bargain...

Privacy Policy

complexity = unenforceable = problems

Actually, I think it's great that someone did this kind of research, and important for the people drafting these ridiculous documents. A privacy policy is a contract between the user and the website/company. If it's too complicated for most people to understand (or if most people never read it), it's unenforceable in the event of a legal dispute between the user and the website/company.

Now, it does precious little for the user to have a privacy policy deemed unenforceable, which would mean the website/company is not in fact bound by its terms. BUT, if websites/companies are required to have privacy policies (see California), THEN they must have privacy policies and not a bunch of legally unenforceable words. A totally incomprehensible privacy policy could get a website/company in trouble with the state. Additionally, if it's unenforceable, then the company can't assert any rights that it may claim in the policy either.

So, this may not mean much for users, but it should mean a lot to websites/companies and their attorneys who draft these things.